How to allow clients to write to an S3 bucket only if the bucket is in a specific AWS account?
0
These are the general formats for Amazon Resource Names (ARNs):
- arn:partition:service:region:account-id:resource-id
- arn:partition:service:region:account-id:resource-type/resource-id
- arn:partition:service:region:account-id:resource-type:resource-id
[https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html][1]
The challenge with S3:
S3 buckets are globally unique (well, if we exclude Gov Cloud and China regions). That is why S3 ARNs do not include region and the AWS account ID:
arn:aws:s3:::examplebucket
Now, what the customer is saying:
- we own a bucket
- we write a policy allowing service X to write secret file Y to the bucket
- we delete the bucket (and its contents), forgetting about service X
- someone else creates a bucket and allows anybody to write to it
- service X writes to "the bucket" (now owned by someone else)
It would be trivial to avoid by only allowing service X to write to "bucket foo" in a particular account, but AWS IAM explicitly disallows bucket ARNs with account IDs in them.
Is there any workaround for this?
gefragt vor 4 Jahren976 Aufrufe
1 Antwort
- Neueste
- Die meisten Stimmen
- Die meisten Kommentare
0
The functionality that helps with validating bucket owner has been recently released:
Bucket Owner condition:
https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-owner-condition.html
beantwortet vor 4 Jahren
Relevanter Inhalt
AWS OFFICIALAktualisiert vor 2 Jahren- AWS OFFICIALAktualisiert vor 3 Jahren